Chapter 3: Configuring Scan Engine Updates

Applies to: Forefront Security for SharePoint

Topic Last Modified: 2008-03-06

Keeping your scan engines up-to-date is critical in the fight against viruses. The antivirus engines provided within Forefront Security for SharePoint work 24 hours a day to provide virus detection signatures in a timely fashion. If you do not update your engines frequently, you lose the benefit of their efforts.

When you install Forefront Security for SharePoint, it automatically downloads engine updates for each scan engine. But because the engine scheduler is disabled by default, you need to set the update schedules for each engine. After Forefront Security for SharePoint downloads a scan engine update, it is immediately available for use. We recommend that you schedule updates and do a manual update before scanning with an engine that you have not used before.

It is important to note that you must individually enable and set the update schedule and frequency for each engine. During file scanner updates, only the engine being updated is taken offline; the other engines continue to scan for viruses.

Select the name of the engine whose update you are configuring.
Make sure it is Enabled. If it is not, click Enable at screen right.

To set the primary path for downloading updates, click Primary and type a path name in the Network Update Path box.
You can change the default path to point to another HTTP update site, or if you prefer to use Universal Naming Convention (UNC) updating, type the UNC path to another SharePoint server.

Note: To restore the default server path, right-click in the Network Update Path box, and select Default HTTP Path from the list.

To set the secondary update path, click Secondary and type a path name into the Network Update Path box.
If the primary path fails for any reason, Forefront Security for SharePoint uses the secondary path you specify. (It is blank by default.) You can set the secondary update path as you did for the primary update path.

Even if you are not using a particular engine, set it for regular updates so that if you ever need to enable it, the signature files will be current.

Set the update schedule for each engine based on how often it releases signatures. Some virus labs release regular signatures more often than others (although all labs respond to major outbreaks with more frequent updates). For example, the Kaspersky lab releases a new update nearly every hour, so set the update for that engine accordingly. To find information on average update times for individual engines, go to www.avtest.org. As a general rule, we recommend that you schedule checking for updates at least once an hour to lower the risk of a new threat to your network.

Stagger the updates in five-minute intervals. (This is also the default.)

Avoid start times that end in 0 or 5 (for example, 1:05 or 11:30), because these are the times most commonly chosen. Instead, pick a time such as 4:03 or 19:42.

Scheduling frequency. Your options are:

Once: Updates only once, on the date and time you specify.

Daily: Updates every day at the time intervals you specify.

Weekly: Updates every week on the same day at the time interval you specify.

Monthly: Updates every month on the same day at the time interval you specify.

For example, if you choose a Repeat of 1 hour on a weekly schedule (a Tuesday, say), the system will check for updates every hour every Tuesday. If you do not check Repeat, Forefront Security for SharePoint will only check for updates once on the day you choose.
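The scheduling guidelines above can be checked before the values are typed into the console. The following is an added example, not part of the product or its documentation: it plans a staggered schedule and audits a proposed one against the guidelines. The engine names, the schedule format, and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

STAGGER_MIN = 5       # guideline: stagger updates in five-minute intervals
MAX_REPEAT_MIN = 60   # guideline: check for updates at least once an hour

# Constructed sample data: placeholder engine names and a flawed schedule.
ENGINES = ["Engine A", "Engine B", "Engine C"]
BAD = {"Engine A": ("01:05", 60), "Engine B": ("01:07", None)}


def plan(engines, first_start="04:03", repeat_min=60):
    """Assign each engine a start time, STAGGER_MIN apart, from first_start."""
    t0 = datetime.strptime(first_start, "%H:%M")
    return {
        name: ((t0 + timedelta(minutes=i * STAGGER_MIN)).strftime("%H:%M"), repeat_min)
        for i, name in enumerate(engines)
    }


def audit(schedule, engines):
    """Return findings for a {engine: (HH:MM, repeat_min or None)} schedule."""
    findings = []
    for name in engines:
        if name not in schedule:
            # Unused engines should still be scheduled so signatures stay current.
            findings.append(f"{name}: no update schedule")
    slots = []
    for name, (start, repeat_min) in schedule.items():
        t = datetime.strptime(start, "%H:%M")
        if t.minute % 5 == 0:
            findings.append(f"{name}: {start} ends in 0 or 5")
        if repeat_min is None or repeat_min > MAX_REPEAT_MIN:
            findings.append(f"{name}: checks less often than once an hour")
        slots.append((t.hour * 60 + t.minute, name))
    slots.sort()
    # Compares first start times only; later repeats are not expanded.
    for (a, n1), (b, n2) in zip(slots, slots[1:]):
        if b - a < STAGGER_MIN:
            findings.append(f"{n1}/{n2}: starts only {b - a} min apart")
    return findings


if __name__ == "__main__":
    print(plan(ENGINES))
    print("\n".join(audit(BAD, ENGINES)))
```

Because the stagger is a multiple of five minutes, every planned start time keeps the same final digit pattern as the first one, so a first start such as 4:03 yields 4:03, 4:08, 4:13, and so on.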

Follow this step when you enable a new scan engine or for quick checks between regularly scheduled updates. If an update exists, Forefront Security for SharePoint will download it and start using it immediately.

Performing updates at startup ensures that if any server running Forefront Security for SharePoint is inoperative for a period of time, the program will immediately begin to download new scan engines when it starts up.

If you disable a scanning engine, you are actually disabling the updating of that engine, not its use. This means that the engine will continue to scan, but its signature files will not be kept current.

Under SETTINGS, click General Options.

Select the name of the engine whose update you want to disable, and click Disable.

If you have more than one server running Forefront Security for SharePoint, consider using a distributed update mechanism. The most common method of distributing updates is to have one server (the hub) receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers (the spokes) in your environment. This saves on Internet bandwidth and can make the process of updating quicker and more efficient.

You can do this in several ways that include using Microsoft Forefront Server Security Management Console. For information, see “Distributing Updates” in the “SharePoint File Scanner Updating” chapter of the Forefront Security for SharePoint User Guide.